CVE-2025-34318
MEDIUM
IPFire < 2.29 (Core Update 198) - Authenticated Stored Cross-Site Scripting via DNS Creation Parameters
Title source: llm
Description
IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the TLS_HOSTNAME, UPSTREAM_USER, UPSTREAM_PASSWORD, ADMIN_MAIL_ADDRESS, and ADMIN_PASSWORD parameters when adding a new DNS entry. When a user adds a DNS entry, the application issues an HTTP POST request to /cgi-bin/dns.cgi and these values are provided in the corresponding parameters. The values are stored and later rendered in the web interface without proper sanitization or encoding, allowing injected scripts to execute in the context of other users who view the affected DNS configuration.
References (3)
Various Sources vendor-advisory
patch
https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/ipfire-stored-xss-via-dns-creation-proxy-cgi
Issue Tracking issue-tracking
https://bugzilla.ipfire.org/show_bug.cgi?id=13893
Scores
CVSS v4
5.1
EPSS
0.0048
EPSS Percentile
37.9%
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (1)
IPFire.org/IPFire
< 2.29 (Core Update 198)
Published
Oct 28, 2025
Tracked Since
Feb 18, 2026